Skip to main content
Blog

Everything You Need to Know About Zoom App Vulnerability

By April 11, 2020No Comments6 min read
Zoom App Vulnerability

The coronavirus outbreak has forced employees to embrace remote work. They are using tools like Zoom for conducting virtual meetings. You can use Zoom for hosting everything from yoga classes to virtual meetings. Most educational institutions are also using it for conducting online classes. The app had 10 million active users in December. However, now more than 200 million users are using it every day. It has become a household name now.

The developers of this app have used sloppy design practices. Thus, there are various security bugs in this app. Zoom was designed for enterprise chat. However, now even regular consumers are using this app. The company is trying its best to fix these security bugs. In this article, we are going to talk about all the security vulnerabilities in this app.

  1. Zoom is sharing data with third-party providers

According to the Zoom privacy policy, they can collect the data of their users. Thus, they can collect data like shared notes, transcripts and videos. Also, they can sell this data to other third-parties for profit. Zoom has already tightened its policy. However, they will use this data if people are using their marketing websites. This is applicable to the home page of the zoom site.

  1. Zoom is sending data to FB

According to a report by the Vice, the Zoom app is sending data to the Facebook platform. They are sending this data even if their users don’t have a FB account. The zoom was actually using Facebook SDK. Thus, it was sending analytic data to Facebook.

Zoom has already removed the FB SDK from their app. The Vice article has also confirmed that zoom has removed this bug. Also, it was sending basic things like storage space and screen size. Zoom app was not sending sensitive data like usernames and passwords. This problem mainly occurs due to the RAD or Rapid application development model. Most developers don’t know about the effects of using other apps SDK. The developers only wanted to use FB SSO. However, the SDK was also capable of tracking its users.

  1. End-to-end encryption

According to a report by The Intercept, the Zoom calls are not using end-to-end encryption. Thus, hackers can intercept conversations. Zoom was claiming on their website that they are using end-to-end encryption. However, they are not actually enforcing this encryption. This can be very bad for some people. If you are sharing sensitive data on the Zoom app, then hackers can easily intercept your communication.

However, Zoom is still providing some form of encryption. Thus, only they have the power to decrypt your data. This is actually different from the end-to-end encryption approach. In E2E, only the parties can check the content of their calls. However, Zoom is actually using TLS or Transport-layer security. Thus, they can also check your calls. Your calls are still secured. Your ISP or people in your network can’t intercept your calls. Thus, it is similar to an HTTPS interaction. This level of security is good for most customers.

Zoom is not going to implement E2E for at least some months. Also, other video conferencing apps are also not offering E2E to their clients. The Facetime is offering E2E to its users. However, you can only use it on Apple devices. Thus, slack is still the best choice for most people.

  1. UNC Paths

According to a report by Bleeping Computer, attackers can use the Zoom app for stealing windows passwords. The attackers can use the Zoom app for converting UNC paths into links. Thus, they can steal the Windows passwords of their victim.

Zoom app has already fixed this issue on April 1. However, we don’t think that this was a serious security vulnerability. The attackers need to send a link to their victims. They will only receive the passwords if the victim clicks on that link. Thus, it is similar to the classic phishing campaign. The attacker first needs to be on the same call. Thus, it is very difficult to hack Windows passwords by using this vulnerability.

  1. Local Privilege Escalation

According to a report by TechCrunch, there is a 0-day vulnerability in the Zoom app. The attackers can take advantage of the sloppy software design for executing these bugs. However, Zoom has already fixed these exploits.

If you are using the Zoom app, then you should download their latest security patch. They have already addressed both security issues. However, it was not easy to execute this exploit. The attacker needs to write files on the Macbook of the victim. This attack is becoming harder with time. It is very difficult to execute local privilege escalation attacks on mobile devices. However, it is impossible to defend computers from this attack. Thus, almost every developer worries about how they are delivering the executable content to their users. If attackers can install the software on your computer, then they are already close to the root access.

The security professionals have already discovered this serious bug. Also, the Zoom team has already fixed this bug. Thus, you don’t need to worry about this security vulnerability.

Conclusion

There are many other small security bugs discovered in the Zoom app. However, Zoom has already responded to these security disclosures. They have already patched most security issues. Zoom developers are also not going to release any new feature for the next 90 days. This will help them in focusing on other security bugs. However, many people are wondering if this app is safe. Many people are thinking that the Zoom app is full of security bugs. Zoom has implemented its own encryption. This is a red flag for most organizations. However, this is not going to affect regular users. If you are a regular user, then Zoom security is perfect for you. You can use this app for holding casual conversations. If you want to share some sensitive information, then you should use other options like Wire and Signal. However, Zoom is a perfect remote tool for regular users. If you need more tips regarding security, then you can contact Bleuwire.

Contact us today to learn about Bleuwire™  services and solutions in how we can help your business.